Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-37541 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-05-01 |
| Vendor | OVMS |
| Product | Open Vehicle Monitoring System 3 |
| CVSS Score | 10.0 (critical) |
| EPSS Score | No data |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005. In canformat_gvret.cpp, the length field in GVRET binary data is not properly validated, allowing remote attackers to cause a denial of service or possibly execute arbitrary code via crafted GVRET frames.
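The defect class described above, a frame length field trusted without validation, is closed by bounding the length against both the destination buffer and the bytes actually received. The following is an added example, not code from OVMS3 or from canformat_gvret.cpp; the frame layout (4-byte little-endian ID, 1-byte length, payload) and all names are simplifying assumptions, not the real GVRET wire format.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Assumed, simplified layout for illustration (not the real GVRET format):
//   bytes 0..3 : CAN ID, little-endian
//   byte  4    : payload length
//   bytes 5..  : payload
constexpr std::size_t kHeaderLen  = 5;
constexpr std::size_t kMaxCanData = 8;   // classic CAN payload limit

struct CanFrame {
    std::uint32_t id;
    std::uint8_t  len;
    std::uint8_t  data[kMaxCanData];
};

enum class ParseResult { Ok, NeedMore, BadLength };

// Parses one frame from buf[0..avail). On Ok, `consumed` is the number of
// bytes used; on any other result it is 0 and `out` is left untouched.
ParseResult parse_frame(const std::uint8_t* buf, std::size_t avail,
                        CanFrame& out, std::size_t& consumed) {
    consumed = 0;
    if (avail < kHeaderLen) return ParseResult::NeedMore;

    const std::uint8_t len = buf[4];     // sender-controlled value

    // Check 1: bound by the destination. Without this, the copy below
    // would write past out.data for any length above 8.
    if (len > kMaxCanData) return ParseResult::BadLength;

    // Check 2: bound by the source. Written as a subtraction on the
    // already-validated side so it cannot wrap.
    if (avail - kHeaderLen < len) return ParseResult::NeedMore;

    out.id = static_cast<std::uint32_t>(buf[0])
           | (static_cast<std::uint32_t>(buf[1]) << 8)
           | (static_cast<std::uint32_t>(buf[2]) << 16)
           | (static_cast<std::uint32_t>(buf[3]) << 24);
    out.len = len;
    std::memset(out.data, 0, sizeof out.data);
    std::memcpy(out.data, buf + kHeaderLen, len);
    consumed = kHeaderLen + len;
    return ParseResult::Ok;
}
```

A caller should drop the connection or resynchronise on `BadLength` rather than skip a fixed number of bytes, since the rest of the stream can no longer be trusted to be frame-aligned.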
Required Actions
Update OVMS3 to a release newer than 3.3.005 that contains the GVRET length validation fix. Until updated, restrict network access to interfaces accepting GVRET data to trusted sources only, and physically secure OVMS3 devices against unauthorized access to diagnostic ports. The CVSS 10.0 score makes this the highest update priority.
Who Is Affected?
This vulnerability affects Open Vehicle Monitoring System 3 by the OVMS project. Check whether your organization uses OVMS3 for EV monitoring and roll out the firmware update without delay.
